
CVE-2025-5981: CWE-427 Uncontrolled Search Path Element in Google osv-scalibr

Severity: Medium
Tags: Vulnerability, CVE-2025-5981, CWE-427
Published: Wed Jun 18 2025 (06/18/2025, 08:28:02 UTC)
Source: CVE Database V5
Vendor/Project: Google
Product: osv-scalibr

Description

Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.

AI-Powered Analysis

Last updated: 06/18/2025, 09:04:39 UTC

Technical Analysis

CVE-2025-5981 is a medium-severity vulnerability affecting version 0.1.3 of Google's OSV-SCALIBR, a tool used for analyzing and unpacking container images. The vulnerability is classified under CWE-427 (uncontrolled search path element). Specifically, the flaw arises in the unpack() function when handling container images supplied via the command-line flag --remote-image. An attacker supplying a crafted, untrusted container image can exploit a path traversal weakness to perform arbitrary file writes on the host system with the privileges of the OSV-SCALIBR user. This occurs because unpack() does not properly sanitize or restrict the file paths extracted from the container image, so malicious paths can escape the intended directory and overwrite or create files elsewhere on the host filesystem.

The CVSS 4.0 vector describes a local attack vector (AV:L) with low privileges (PR:L), partial authentication (AT:P) and user interaction (UI:A), meaning the attacker must already have some level of access to the host to invoke the vulnerable functionality. The confidentiality impact is rated high due to potential overwriting of sensitive files, the integrity impact low, and the availability impact none. The scope is limited to the OSV-SCALIBR user context, and no privilege escalation is indicated. No exploits are currently known in the wild. The CVSS 4.0 base score is 5.7, a medium severity rating.

This vulnerability highlights the risk of processing untrusted container images without adequate path validation, which can lead to arbitrary filesystem modifications and potential compromise of the host environment where OSV-SCALIBR is deployed.
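The containment check the analysis says unpack() lacks, as an added Go example that is not osv-scalibr's own code: auditLayer walks a layer tarball without writing anything and rejects any entry name or symlink target that would resolve outside the unpack root, which is the pre-flight a scanner can run before extracting an untrusted image. The tar stream in sampleLayer is constructed for the demonstration.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"path"
	"strings"
)
// contained reports whether a cleaned slash-separated tar name stays inside the unpack root.
func contained(name string) bool {
	c := path.Clean(name) // collapses "a/../../b" to "../b"
	return !path.IsAbs(c) && c != ".." && !strings.HasPrefix(c, "../")
}
// auditLayer walks one tar layer without writing anything and returns the cleaned
// names it would be safe to unpack, failing on the first escaping entry or symlink.
func auditLayer(r io.Reader) ([]string, error) {
	var ok []string
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return ok, err
		}
		if !contained(hdr.Name) {
			return ok, fmt.Errorf("entry %q escapes the unpack root", hdr.Name)
		}
		// Later entries can be written through a symlink, so its target (resolved against the link's directory) must stay inside too.
		if hdr.Typeflag == tar.TypeSymlink &&
			(path.IsAbs(hdr.Linkname) || !contained(path.Join(path.Dir(hdr.Name), hdr.Linkname))) {
			return ok, fmt.Errorf("symlink %q -> %q escapes the unpack root", hdr.Name, hdr.Linkname)
		}
		ok = append(ok, path.Clean(hdr.Name))
	}
	return ok, nil
}
// sampleLayer is a constructed tar stream: a benign file, an in-tree symlink, then an entry that climbs out of the root.
func sampleLayer() io.Reader {
	var sb strings.Builder
	tw := tar.NewWriter(&sb)
	for _, h := range []*tar.Header{
		{Name: "app/config.yaml", Typeflag: tar.TypeReg, Mode: 0o644, Size: 3},
		{Name: "app/current", Typeflag: tar.TypeSymlink, Linkname: "config.yaml", Mode: 0o777},
		{Name: "../../outside.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: 3},
	} {
		tw.WriteHeader(h)
		tw.Write([]byte("ok\n")[:h.Size]) // regular files carry 3 bytes, the symlink none
	}
	tw.Close()
	return strings.NewReader(sb.String())
}
```

Running auditLayer over sampleLayer accepts the first two entries and stops with an error at the third, so the layer would be refused before anything touches the host.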

Potential Impact

For European organizations utilizing OSV-SCALIBR version 0.1.3, particularly in DevOps, container security, or software supply chain analysis workflows, this vulnerability poses a risk of arbitrary file writes on host systems. While the attack requires local access and user interaction, exploitation could allow attackers to modify critical files, implant malicious code, or disrupt container analysis processes. This can lead to compromised build pipelines, tampered security assessments, or persistence within development environments. Organizations relying on OSV-SCALIBR for container image security may face integrity risks to their software supply chain and potential exposure of sensitive data if configuration or credential files are overwritten. The medium severity rating suggests that while the vulnerability is not trivially exploitable remotely, the impact on confidentiality and integrity within affected environments is significant enough to warrant prompt remediation. Given the increasing reliance on containerized applications across European enterprises, especially in sectors like finance, manufacturing, and technology, the threat could disrupt critical development and deployment operations if left unaddressed.

Mitigation Recommendations

1. Upgrade OSV-SCALIBR to a patched version once available from Google; no patch links are currently provided, but the upgrade should be prioritized upon release.
2. Until a patch is available, restrict use of the --remote-image flag to trusted container images only, avoiding untrusted or external sources.
3. Implement strict access controls and monitoring on systems running OSV-SCALIBR to limit local user access and detect anomalous unpack() invocations.
4. Employ container image scanning and validation tools upstream to ensure images are free from path traversal payloads before analysis.
5. Use sandboxing or containerization to isolate OSV-SCALIBR runtime environments, minimizing the impact of arbitrary file writes.
6. Conduct regular audits of file system integrity on hosts running OSV-SCALIBR to identify unauthorized changes.
7. Educate DevOps and security teams about the risks of processing untrusted container images and enforce policies accordingly.


Technical Details

Data Version: 5.1
Assigner Short Name: Google
Date Reserved: 2025-06-10T12:31:04.353Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68527d9ba8c9212743879169

Added to database: 6/18/2025, 8:49:31 AM

Last enriched: 6/18/2025, 9:04:39 AM

Last updated: 7/31/2025, 5:30:39 AM
